Configuring gMSA account to run ApexSQL Audit processes

Applies to

ApexSQL Audit

Summary

This article demonstrates how to use a group Managed Service Account (gMSA) to run ApexSQL Audit processes.

Description

A group Managed Service Account (gMSA) provides automatic password management within a domain and simplifies service principal maintenance. The password is changed periodically, and the new password is automatically updated and retrieved from the domain controller, which is in line with commonly followed security practices.

To fully utilize this feature for ApexSQL Audit components, both the central and the audited service must run under the specific gMSA account. The text below describes separately how to configure each service to run under the gMSA principal.

Central process

To configure the central process to use a gMSA account, the application installation has to be performed.

The ApexSQL Audit installer can be started in either of two ways:

  1. By running the ApexSQL Audit.exe installer file
  2. By running the ApexSQL.Audit.installer.exe file from the installation path if the product is already installed; the default location is “C:\Program Files\ApexSQL\ApexSQL Audit\ApexSQL.Audit.Installer.exe”

Whichever option is chosen, the ApexSQL Audit central configuration dialog will prompt for the setup input.

To complete the installation:

  1. In the Credentials configuration group, select the “Group managed service account” option
  2. Type the username of the gMSA account
  3. Click OK

ApexSQL Audit central instance configuration dialog

Shortly after the installation completes, the central background process will start and run under the specified account:

ApexSQL Audit central background process

Distributed (remote) process

The audited (distributed) agent is easier and faster to configure through the application interface.

To complete the process:

  1. Run the ApexSQL Audit application interface
  2. Switch to the Configure tab in the main application ribbon menu
  3. Highlight the SQL Server instance for the account change and click Edit
  4. In the Auditing agent properties dialog, choose the “Group managed service account” option in the Credential section
  5. Type the account username
  6. Click OK

ApexSQL Audit auditing agent properties configuration

The same dialog is available when the Add server option is clicked to configure new instances for auditing.

Right after that, the newly created process “ApexSQL Audit Processor Distributed” will run under the configured account:

ApexSQL Audit Processor Distributed running

With this setup, the gMSA account is used to run the auditing processes, which in the long term prevents interruptions of those processes caused by password changes for regular accounts.
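
The following PowerShell check is an added example, not part of ApexSQL's documentation: run on the central or an audited host, it lists which principals may retrieve the gMSA password, confirms the host can use the account, and reports the logon account of each ApexSQL Audit service. The account name `svcApexAudit` is a constructed placeholder, and the script assumes the components are registered as Windows services whose display names start with "ApexSQL Audit" and that the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example. Assumptions: the gMSA name below, and that the ApexSQL Audit
# components are Windows services with display names starting "ApexSQL Audit".
param(
    [string]$GmsaName       = 'svcApexAudit',   # constructed placeholder, no trailing $
    [string]$ServicePattern = 'ApexSQL Audit*'  # assumed display-name prefix
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. List the principals allowed to retrieve the managed password.
#    Only the hosts running the central and distributed services belong here.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
foreach ($p in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    Write-Output "Allowed to retrieve password: $p"
}

# 2. Confirm this host can retrieve the password and use the account.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Write-Warning "$env:COMPUTERNAME cannot use gMSA '$GmsaName'; services configured with it will fail to start."
}

# 3. Compare each matching service's logon account with the expected gMSA.
$expected = $GmsaName + '$'
$services = @(Get-CimInstance -ClassName Win32_Service |
              Where-Object { $_.DisplayName -like $ServicePattern })
if ($services.Count -eq 0) {
    Write-Warning "No services match '$ServicePattern' on this host."
}
foreach ($svc in $services) {
    # StartName is normally DOMAIN\account$; compare the account part only.
    $account = ($svc.StartName -split '\\')[-1]
    [pscustomobject]@{
        Service  = $svc.DisplayName
        State    = $svc.State
        RunsAs   = $svc.StartName
        UsesGmsa = ($account -ieq $expected)
    }
}
```

A service that reports `UsesGmsa = False` is still running under a regular account or a built-in identity and remains exposed to the password-change interruptions described above.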